“The poisoned BITS tasks, which created installation and clean-up scripts after their payloads were downloaded, were self-contained in the BITS job database, with no files or registry modifications to detect on the host,” a SecureWorks blog post stated.
Malware creators have previously used Microsoft's BITS to launch similar attacks by downloading malware updates, initially in May 2007 and most recently in December 2015.